Mac OS X is soooo secure that Apple has designed the default setting in the Safari browser to allow “safe files” to download and execute automatically, making it super easy for the “MacGuard” successor to the “MacDefender” malware (that Apple has finally responded to) to install itself on OS X machines running in an admin account session… which an enormous number of Mac users–like Windows users–do.
I guess Apple bought into their own “OS X is secure” propaganda, because when Safari installs on Windows machines it, like all the other mature browsers–and even Internet Exploder *heh*–defaults to asking if the user is sure about downloading a file and warns it could be dangerous.
Oh, but that’s for Windows machines. Have to maintain the fiction of Mac invulnerability, so not gonna do that on OS X machines, no matter how it might endanger the users.
Dumb move, Apple. It’s already caught you with your pants down and until you admit your users need at least a warning, and get the word out widely in your user base, it’s gonna keep biting you on your bare ass.
It is going to be amusing to watch the slow awakening of folks who’ve accused anyone who pointed out the tiniest lil flaw in the Apple fantasy world of “hate speech” or worse when, little by little, their little fantasy world crumbles beneath their feet.
BTW, which OS was hacked first in the Pwn2Own meet recently? Hmmm? 😉 5 Seconds to fail.
On a most basic level the attack exploited Apple’s weak memory protections in OS X Snow Leopard. Microsoft, more popular and more commonly attacked, includes two critical types of memory protection — data execution prevention and robust address space layout randomization (ASLR) — both of which attempt to prevent memory injection attacks. By contrast, Snow Leopard only supports ASLR and the implementation is badly botched according to hackers.
The attack also exploited poor coding in Apple’s branch of WebKit, which features many bugs and security flaws. While Apple’s WebKit branch, which powers its Safari browser, shares a certain amount of code with Google’s WebKit browser Chrome, Google has added much more robust security layers and is less buggy.
Just sayin’.
In past years the contest has been dominated by OS X hacking/security pro Charlie Miller. So it was nice to see a fresh face for a change, though the MacBook was still the first to fall — as usual. Mr. Miller sums up OS X security the best, with his famous remark, “Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.”
Now, before anyone accuses me of “hating on Apple” please note that I’m just stating facts here, ‘K? Apple has deliberately misled folks for years about the security of OS X (note the “the MacBook was still the first to fall — as usual” comment above) and stonewalled AppleCare subscribers with, essentially, “Screw you” when asked for help with the “MacDefender” malware issue, so Apple deserves a swift kick in the ass, as far as I’m concerned. I’ve delivered a few M$’s way from time to time, and it’s only fair that when Apple acts evil that it gets some mud in its eye.